The Lessons Learned on a Training Site

by Metalx1000

About four months ago, my employer hired an out-of-state company to set up a website.

My job requires constant training.  We are required to meet a minimum number of training hours each year.  This new website was designed to help us keep track of classes we need to take as well as the number of hours we have already put into training.

I had been pushing for my department to start going web-based.  Currently we're using FileMaker Pro on some not-too-fast machines.  So, I was hoping that using lighter weight web applications would help speed things up.  I was also hoping to turn them in the direction of open-source and Linux at some point down the line.  If everything we used was web based, it would help the transition.

Although I was hoping to design the site myself and host it locally, I was still happy to see us heading in that direction.  That is, until the first time I tried to log on to the site.  I typed in my username and password.  I hit Enter.  Nothing happened.  I clicked the "Login" button.  Still nothing.  So I decided to look at the page's source code.  I saw what the problem was right away.  They were using VBScript.

Now, I think VBScript is great for automating things on a Windows machine.  But, no web designer would use it on a web page.  When designing a web page, one of the main goals should be to make it as compatible with as many web browsers as possible.  VBScript only works in Internet Explorer.  I'm using Firefox on a Linux box.  I could install Internet Explorer through Wine.  But I was not about to do that.

With the option of using Internet Explorer off the table, I had to find another way to get this site to work for me.  I needed a way to change the VBScript to JavaScript for my use.  Firefox add-ons to the rescue!

I was able to easily change the VBScript to JavaScript with the Firefox add-on called Firebug.  Firebug allows you to change the code of a page you are viewing once it is loaded.  It only changes it in your browser for that one time, but it did the job.  Although I found a workaround for myself, I still sent the site designer an email informing him of the issue.  He replied quickly and told me that he was aware of the issue and he was working on changing out all of the VBScript.

I found that a number of the pages on the site once I logged in had VBScript in them.  I rewrote the script for three of the pages and emailed them to the designer.  He thanked me and told me once he looked them over, he would replace the old code on the site.  That was three months ago.  He has not changed a thing.

So, to get the site to work for me, I was constantly having to look at the code and find workarounds.  While doing this, I found a number of security problems.  I informed my employer of the issues and I was told to make a list and email it to them.  I continued to look through the code on the site and I made a pretty long list.

The things I found were interesting.

There was no real security on the site at all.  They were just giving the illusion of security.  It started out simply.  I noticed that when you clicked the Logout button at the top of the page, all it did was bring you back to the home page.  If you were to click "back," you would find yourself still logged in.

From this point on I'm going to refer to the site as: http://trainingsite.com

To log in, I had to post a username and password to: http://trainingsite.com/login_reverify.asp

I found that if I posted a blank username and password, it would log me in as "Tom Smith."

At first, I felt bad for Tom Smith.  But I later found out that it was not really his account.  When I went to his personal info page, I found it all blank.  But I had also noticed, while looking at the code of the personal info page, that the form contained a hidden field called: employeeid

Tom Smith's was 127.  When I logged in as myself, the employeeid variable was 52.

So I once again logged in to Tom Smith's account and used Firebug to change the employeeid variable to 52.

Then I entered an email address from 10minutemail.com and submitted the form.  I then went to the "I forgot my password" page and entered the fake email address.  In about a minute, I received my username and password.

Knowing this, I tried it again but entered 1 for the employeeid.

What did I get when the email arrived?  Username: sysadmin and password: sysadmin

That is right.  If I were to start guessing usernames and passwords, I would have gotten in and it would have only taken a few minutes.  I now had the ability to change the site settings.  The whole thing was at my control.

I could also see everyone's email addresses and passwords.  I found that there were two Tom Smiths listed and the one I was able to access without a username or password was not the real Tom Smith.

Most people had kept their default username and password, which was the first letter of their first name and their last name (Example: tsmith) for both username and password.

I felt bad for the few people who were smart enough to change their password.  Hopefully they know enough not to use the same password for their email accounts.  Otherwise, anyone who figured out what I did would have access to their email accounts.
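Every weakness described above is a server-side design mistake: the logout link did not destroy the session, blank credentials matched a stray record, the account being edited was taken from a hidden form field the browser controls, and the "forgot my password" page mailed back a password the site was storing in the clear. The following is an added illustration, not code from the training site or from the site designer, showing how the same four handlers look when the server decides who the user is. It is plain Python over in-memory dictionaries that stand in for the site's database and session store; the account data, e-mail addresses, and function names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-ins for the site's user table and session store.
USERS = {}          # username -> account record
SESSIONS = {}       # session token -> employee_id
RESET_TOKENS = {}   # reset token -> (username, expiry timestamp)
PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def add_user(employee_id, username, password, email):
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "employee_id": employee_id,
        "email": email,
        "salt": salt,
        "digest": _hash_password(password, salt),  # the plaintext is never stored
    }


def login(username, password):
    """Return a random session token on success, None otherwise.
    Empty credentials are rejected outright instead of matching a stray record."""
    if not username or not password:
        return None
    rec = USERS.get(username)
    if rec is None:
        _hash_password(password, b"\x00" * 16)  # same cost whether or not the user exists
        return None
    if not hmac.compare_digest(_hash_password(password, rec["salt"]), rec["digest"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = rec["employee_id"]
    return token


def logout(token):
    """Logout must invalidate the session on the server, not just redirect home."""
    SESSIONS.pop(token, None)


def current_employee(token):
    return SESSIONS.get(token)


def update_email(token, new_email, form_employee_id=None):
    """Change the e-mail address of the *logged-in* employee.
    form_employee_id mirrors the site's hidden field; it is deliberately ignored,
    so editing it in the browser cannot redirect the change to another account."""
    employee_id = SESSIONS.get(token)
    if employee_id is None:
        raise PermissionError("not logged in")
    for rec in USERS.values():
        if rec["employee_id"] == employee_id:
            rec["email"] = new_email
            return employee_id
    raise LookupError("session refers to an unknown employee")


def request_password_reset(email, now=None):
    """Issue a single-use reset token that expires after 15 minutes.
    Because only a salted hash is stored, there is no password to mail back.
    Returns the token (which in a real deployment goes only into the e-mail body)
    or None for an unknown address; the page shown to the user should be the
    same in both cases so it does not reveal which addresses exist."""
    now = time.time() if now is None else now
    for username, rec in USERS.items():
        if rec["email"] == email:
            token = secrets.token_urlsafe(32)
            RESET_TOKENS[token] = (username, now + 15 * 60)
            return token
    return None


def complete_password_reset(token, new_password, now=None):
    """Consume the token (even if expired) and set a new salted hash."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(token, None)   # single use
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry or not new_password:
        return False
    rec = USERS[username]
    rec["salt"] = secrets.token_bytes(16)
    rec["digest"] = _hash_password(new_password, rec["salt"])
    # Any live sessions for this account are revoked along with the old password.
    for tok in [t for t, eid in SESSIONS.items() if eid == rec["employee_id"]]:
        del SESSIONS[tok]
    return True
```

The point of `update_email` is the one the employeeid story turns on: the account to modify is looked up from the server-side session, and whatever value the form carries for `employeeid` has no effect. The same rule applies to every other page on a site like this; a hidden field is just another input the user can edit.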

I sent all this information to my employer.  Nothing has been done yet and it has been weeks.

But, when you are surfing the web, keep this in mind...  VBScript should not be used on a web page.

If it is being used, the site designer most likely has little knowledge of web design and most likely just took some class so he could make a few bucks.

When you see VBScript being used, poke around.  You just might find something.
